With the increasing user acceptance of performing purchasing transactions over a data network, such as the World Wide Web (hereinafter “web”) or the Internet, merchants who host web sites at which users may purchase (or, at least, learn about) their products have an obvious financial interest in continuously attempting to improve the user's experience. Mass customization refers to the creation of a customized experience for online buyers by using technology that responds to their individual requirements and interests; see, e.g., J. Nelson, “Mass-Customization Marketing: Maximizing Value of Customers,” IDC Bulletin #17726, December 1998, the disclosure of which is incorporated by reference herein. “Customization” is sometimes also called “personalization,” though personalization also conveys the meaning of web content that the user can explicitly configure. For example, a user might create a personalized web page at a site by telling the site which stock quotes to display whenever the user visits. Here, we are primarily concerned with content that a site predicts the user will like based on information inferred about the user, rather than on explicit user instruction. Customization typically employs data mining and/or collaborative filtering to predict content that is likely to be of interest to a given visitor, and presents the customized content to that visitor at opportune moments. Customization can be particularly effective when the user identifies himself or herself explicitly to the web site. In this case, customization can be much more “accurate,” in the sense that the site can employ the specific user's past browsing and purchasing history at that site to predict what content will be most effective for this user.
Global customization, by which a user's web history is shared across many merchant sites, is practiced today in several forms. A predominant form of such global customization is “ad networks” such as DoubleClick™. In this form, information about a visitor's activities at a merchant site is passed to DoubleClick™ via image hypertext links in the merchant's page. In response to these requests, DoubleClick™ returns banner advertisements customized to these activities. This customization is “global” in that this information is collected into a profile for the user (or more precisely, the browser) that is used to customize ads for the same user on his or her future visits to DoubleClick™-enabled sites.
Recently, even more ambitious sharing of consumer web activity has been developed by companies such as Angara™ and I-behavior™ (or Net Perception™). Both companies profile users, Angara using an opt-out approach and I-behavior using an opt-in approach, and provide targeted information to merchants about a user for the purposes of customization. However, none of these existing approaches provides support for users and merchants to specify policies that limit who can obtain the information they contribute.
Further, electronic wallets, such as the Microsoft Passport™ and the Java Wallet™, may offer possibilities for global customization. Wallets vary with respect to what information they retain about user activities, and to what extent they share this information with participating merchants. However, to the extent that they do retain information (for example, they often retain receipts for purchases), such wallets pose a privacy risk to both users and merchants. From the user perspective, these wallets hold identifying information for the user in conjunction with any behavioral information, and, therefore, stored behavioral profiles are not anonymous. Moreover, to the extent that behavioral information is conveyed to merchants, merchants are unable to specify data protection policies about how information they contribute is to be shared with others. The above-mentioned privacy risks have been cited as a major tension between wallet vendors and both online merchants and users; see, e.g., K. Cassar et al., “Digital Wallets, Pursuing Dual Wallet Strategy Before Leverage is Lost,” Jupiter Strategic Planning Services/DCS99-14, February 1999, the disclosure of which is incorporated by reference herein.
Still further, pseudonymous e-mail addresses, or “nyms,” are known to be used in e-mail applications; see, e.g., D. Mazières et al., “The design, implementation, and operation of an email pseudonym server,” Proceedings of the 5th ACM Conference on Computer and Communication Security, pages 27–36, November 1998; and I. Goldberg et al., “Freedom Network 1.0 architecture,” November 1999, the disclosures of which are incorporated by reference herein. Users post to newsgroups or send e-mails under a nym in such a way that recipients cannot easily correlate multiple nyms as belonging to the same user. However, nyms do not provide mechanisms and support for users and merchants to specify policies that limit who can obtain the information they contribute, such that global customization of network content may be performed in a sufficiently privacy-preserving manner.